AI春联

Security checks across malware telemetry and agentic risk

Overview

This paid couplet-generation skill mostly matches its purpose, but its payment records and instructions contain mismatched service identity and under-disclosed local storage that users should review carefully.

Review before installing or paying. Confirm the actual payee, amount, and config file used; verify the separate clawtip payment skill; avoid entering sensitive text as the couplet prompt; and ask the publisher to fix the service-identity mismatch, config mismatch, generation command mismatch, local-storage disclosure, and thought-process instruction before normal use.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
Findings (12)

Lp3

Medium
Category
MCP Least Privilege
Confidence
77% confidence
Finding
The skill declares only network.outbound and credential.read, yet its documented/order-processing behavior implies local file read/write operations such as reading configs and persisting orders. This permission mismatch is dangerous because it obscures the skill’s real capabilities from reviewers and users, weakening least-privilege controls and making unexpected data access harder to audit.

Tp4

High
Category
MCP Tool Poisoning
Confidence
92% confidence
Finding
The skill claims to be a simple paid spring-couplet generator, but the described behavior includes local persistence, payment-data handling, key/config reads, cryptographic processing, and unrelated residual metadata from another service. This mismatch is high risk because hidden or unrelated functionality can mask unsafe data handling, inherited insecure logic, or repurposed code paths that process credentials and payment artifacts outside the user’s expectations.

Context-Inappropriate Capability

Medium
Confidence
95% confidence
Finding
The instruction to include the model's thought process in user-facing Chinese responses creates an explicit channel for leaking hidden reasoning, prompt content, or sensitive contextual data. That is unrelated to the business purpose of generating spring couplets and increases the chance of exposing internal decision-making or security-relevant information.

Context-Inappropriate Capability

Medium
Confidence
82% confidence
Finding
Telling the agent to install and invoke another skill if it is missing expands the trust boundary and capabilities beyond the declared scope of the spring-couplet service. This is risky because it can introduce unreviewed code, new permissions, and transitive access to payment or network operations without explicit user approval or manifest disclosure.

Intent-Code Divergence

High
Confidence
98% confidence
Finding
The persisted order metadata hard-codes a different service identity and description than the advertised skill, using values associated with a praise service rather than a Spring Festival couplet generator. This can mislead downstream verification, billing, audit, or review systems and is especially suspicious in a paid skill because it obscures what the user is actually being charged for.

Description-Behavior Mismatch

High
Confidence
99% confidence
Finding
The code and saved order payload indicate the system is actually creating orders for a different service category than the one presented to users. In a payment flow, this kind of identity and purpose mismatch can facilitate deceptive charging, bypass policy checks, or cause downstream systems to treat the transaction as belonging to another approved skill.

Vague Triggers

Medium
Confidence
88% confidence
Finding
The rule allowing the workflow to skip payment if the user provides an order number and an order file contains a payCredential is overly permissive and underspecified. Ambiguous trust in user-supplied order identifiers or local order files can enable unauthorized reuse of prior payment credentials, cross-order confusion, or bypass of intended payment verification.

Natural-Language Policy Violations

High
Confidence
96% confidence
Finding
Mandating Chinese interaction and requiring disclosure of the model's thinking without user opt-in is unsafe because it combines unnecessary behavior coercion with explicit reasoning exposure. In this payment-enabled skill, that increases the chance of leaking internal prompts, verification logic, or sensitive contextual details during transactional interactions.

Natural-Language Policy Violations

High
Confidence
86% confidence
Finding
Forcing Chinese-only interaction without user choice is primarily a scope and usability issue rather than a direct exploit path. However, in a payment workflow it can still impair informed consent, error handling, and user understanding of charges or credential-related messages.

Missing User Warnings

Medium
Confidence
87% confidence
Finding
The script writes order information containing user question text, payment metadata, and encrypted payment payload to disk without any visible disclosure or consent mechanism. In a paid content-generation skill, the question may contain sensitive user-provided text, so silent local persistence increases privacy and data-retention risk if files are later exposed, reused, or improperly secured.

Ssd 3

Medium
Confidence
97% confidence
Finding
An explicit instruction to reveal hidden reasoning is a direct data-leakage risk because chain-of-thought may contain internal policies, prompt fragments, security constraints, or sensitive context not meant for users. In a skill that also handles payment flow and credential-related steps, any extra leakage channel is more dangerous because it may expose operational details attackers can exploit.

Ssd 3

Medium
Confidence
96% confidence
Finding
Repeating the requirement to include the model's thought process reinforces a persistent natural-language exfiltration path for internal reasoning. Repetition makes accidental compliance more likely and increases the chance that sensitive internal context will be surfaced during ordinary user interaction.

VirusTotal

67 of 67 vendors flagged this skill as clean.